AWS Route 53

From Indie IT Wiki

SPF Verification

SPF hard fail example...

v=spf1 ip4: -all

In the above example, the minus "-" in front of "all" means that any senders not listed in this SPF record should be treated as a "hardfail", i.e. they are unauthorised and emails from them should be discarded. In this case only the IP address is authorized to send emails.

SPF soft fail example...

v=spf1 ~all

In the above example, the tilde "~" in front of "all" means that any servers not listed in this SPF record should be treated as a "softfail", i.e. mail can be allowed through but should be tagged as spam or suspicious. In this case the authorizes Office 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers.
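
An added example, not part of the original wiki page: a small Python check that reads BIND-format zone text (such as a zone export), finds the SPF TXT records and reports which qualifier sits in front of "all". The function names are hypothetical, and the sample zone, host names and addresses are constructed for illustration.

```python
import re

# Qualifier in front of "all" -> result for senders no other mechanism matched.
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.+)$", re.IGNORECASE)

def txt_strings(rdata):
    """Join the quoted strings of one TXT rdata; long records are often split."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def all_policy(spf):
    """Name the result the record's 'all' term gives to unlisted senders."""
    terms = spf.split()[1:]
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return QUALIFIERS[m.group(1) or "+"]  # a bare "all" means "+all"
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"  # policy is defined by another domain's record
    return "missing"

def audit_zone(zone_text):
    """Return (owner, policy, weak) per SPF record; assumes one record per line."""
    findings = []
    for line in zone_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        spf = txt_strings(m.group(2))
        if spf.lower().split(None, 1)[:1] != ["v=spf1"]:
            continue  # some other TXT record (DMARC, verification token, ...)
        policy = all_policy(spf)
        weak = policy in ("pass", "neutral", "missing")
        findings.append((m.group(1), policy, weak))
    return findings

# Constructed sample zone: example.com names and 192.0.2.0/24 addresses only.
SAMPLE_ZONE = """\
example.com. 300 IN TXT "v=spf1 ip4:192.0.2.10 -all"
soft.example.com. 300 IN TXT "v=spf1 include:_spf.example.net ~all"
fwd.example.com. 10800 IN TXT "v=spf1 include:_spf.example.net" " ?all"
open.example.com. 300 IN TXT "v=spf1 +all"
www.example.com. 60 IN A 192.0.2.20
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=none"
"""

if __name__ == "__main__":
    for owner, policy, weak in audit_zone(SAMPLE_ZONE):
        print(f"{owner:20} {policy:9} {'WEAK' if weak else 'ok'}")
```

Records reported as WEAK ("+all", "?all" or no "all" term) give receivers no instruction to reject or flag mail from unlisted senders.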

DKIM Verification

Command Line


There is an unofficial, well-maintained command line app called cli53.

cli53 provides import and export from BIND format and simple command line management of Route 53 domains.


  • import and export BIND format
  • create, delete and list hosted zones
  • create, delete and update individual records
  • create AWS extensions: failover, geolocation, latency, weighted and ALIAS records
  • create, delete and use reusable delegation sets

Latest version: 0.8.18 (17 JAN 2021)

Install software...

wget -O cli53
sudo install -m 755 ./cli53 /usr/local/bin/cli53


To configure your Amazon credentials, either place them in a file ~/.aws/credentials:

[default]
aws_access_key_id = AKID1234567890
aws_secret_access_key = MY-SECRET-KEY

Export Zone File As TXT

List domain name zones...

cli53 list --profile default

Export domain name zone...

cli53 export --full --profile default

Adding Zones

cli53 create --comment 'my first zone'

Adding Records

A record...

cli53 rrcreate 'www 60 A'

MX record...

cli53 rrcreate '@ MX 10 mail1.' '@ MX 20 mail2.'

A record using specific AWS profile...

cli53 rrcreate --profile profilename 'www 60 A'

CNAME record using a specific profile. For CNAME records, relative domains have no trailing dot, but absolute domains should have one...

cli53 rrcreate --profile profilename 'host CNAME data'
cli53 rrcreate --profile profilename 'host CNAME'

Editing Records

cli53 rrcreate --replace 'www 60 A'

Deleting Records

cli53 rrdelete www A
cli53 rrdelete @ MX

Redirect Domain Using S3

Route 53 Hosted Zone -> A Record ALIAS -> S3 Bucket Endpoint -> Static Website Hosting -> Redirect Requests -> Domain

Make sure you create a bucket with the same subdomain as well.

e.g. -> bucket with exact same name -> bucket with exact same name

Thanks -

Use GANDI Free Email Forwarding

The domain registrar, Gandi, provides 2 free e-mail addresses per domain, and unlimited forwarding accounts.

While your domain may be hosted on AWS (using AWS nameservers), you can update the DNS configuration to point to Gandi's mail servers, and set up and manage all your domain name e-mail addresses from Gandi's console.

This is managed in your AWS console under Route53, Hosted Zones. You'll then want to create two record sets for the domain as follows:

Type  Alias  TTL    Value            Routing Policy
MX    No     10800  10               Simple
MX    No     10800  50               Simple
TXT   No     10800  "v=spf1 ?all"    Simple